My name is danah boyd and I'm a Principal Researcher at Microsoft Research and the founder/president of Data & Society. Buzzwords in my world include: privacy, context, youth culture, social media, big data. I use this blog to express random thoughts about whatever I'm thinking.

Putting Privacy Settings in the Context of Use (in Facebook and elsewhere)

A few days ago, Gilad’s eyes opened wide and he called me over to look at his computer. He was on Facebook and he had just discovered a privacy loophole. He had maximized his newsfeed to get as many photo-related bits as possible. As a result, he was regularly informed when his Friends commented on other people’s photos, including photos of people with whom he was neither Friends nor in the same network. This is all fine and well. Yet, he found that he could click on those photos and, from there, see the entire photo albums of Friends-of-Friends. Once one of his Friends was tagged in one of those albums, he could see the whole album, even if he couldn’t see the whole profile of the person who owned the album. This gave him a delirious amount of joy because he felt as though he could see photos not intended for him… and he liked it.

There are multiple explanations for what is happening. This may indeed be a bug on Facebook’s part. It’s more likely a result of people allowing photos in which they are tagged to be visible to Friends of Friends through the overly complex privacy settings that even Gilad didn’t know about. Either way, Gilad felt as though he was seeing photos not intended for him. Likewise, I’d bank money that his kid sister’s Friends did not think that tagging those photos with her name would make the whole album available to her brother.

Facebook’s privacy settings are the most flexible and the most confusing privacy settings in the industry. Over and over again, I interview teens (and adults) who think that they’ve set their privacy settings to do one thing and are shocked (and sometimes horrified) to learn that their privacy settings do something else. Furthermore, because of things like tagged photos, people are often unaware of the visibility of content that they did not directly contribute. People continue to get themselves into trouble because they lack the control that they think they have. And this ain’t just about teenagers. Teachers/professors – are you _sure_ that the photos that your friends post and tag with your name aren’t visible to your students? Parents – I know many of you joined to snoop on your kids… now that your high school mates are joining, are your kids snooping on you? Power dynamics are a bitch, whether you’re 16 or 40.

Why are privacy settings still an abstract process removed from the context of the content itself? Privacy settings shouldn’t just be about control; they should be about the combination of awareness, context, and control. You should understand the visibility of an act during the moment of the act itself and whenever you are accessing the tracings of the act.

Tech developers… I implore you… put privacy information into the context of the content itself. When I post a photo in my album, let me see a list of EVERYONE who can view that photo. When I look at a photo on someone’s profile, let me see everyone else who can view that photo before I go to write a comment. You don’t get people to understand the scale of visibility by twiddling a few privacy settings every few months and having no idea what “Friends of Friends” actually means. If you have that setting on and you go to post a photo and realize that it will be visible to 5,000 people including 10 ex-lovers, you’re going to think twice. Or you’re going to change your privacy settings.

In an ideal world where complex access control wouldn’t destroy a database, I would argue that you should be able to edit the list of people who can see a particular artifact at the time of upload. Thus, if I posted a photo and saw that it was visible to 100 people, I could manually go through and remove 10 of those people without having to create a specific group that is everyone but the unwanted people. I know that this is a database disaster so I can’t ask for it… yet. Y’all should make large-n combinatorial functions computationally feasible eventually, right? ::wink:: In the meantime, let me at least see the visibility level and have the ability to adjust my broad settings in the context of use.
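The audience preview asked for above, as an added example (not code from this post or from Facebook): it lists who can see each photo and why, applies a per-photo exclusion list, and contrasts per-photo evaluation with the album-wide inheritance Gilad ran into. The graph, the names, the setting values and the default tag level are all constructed assumptions.

```python
from collections import defaultdict

FRIENDS = "friends"
FOF = "friends_of_friends"


class SocialGraph:
    """Undirected friendship graph."""

    def __init__(self, edges):
        self.adj = defaultdict(set)
        for a, b in edges:
            self.adj[a].add(b)
            self.adj[b].add(a)

    def reach(self, user, level):
        """Everyone covered by `level` as seen from `user`, excluding `user`."""
        out = set(self.adj.get(user, ()))
        if level == FOF:
            for friend in list(out):
                out |= self.adj.get(friend, set())
        out.discard(user)
        return out


def photo_audience(graph, photo, tag_levels):
    """Map each viewer of `photo` to the reasons they can see it."""
    reasons = defaultdict(list)
    owner = photo["owner"]
    for viewer in graph.reach(owner, photo["level"]):
        reasons[viewer].append(f"{photo['level']} of owner {owner}")
    for tagged in photo.get("tagged", ()):
        # Assumption: a tagged person's own "photos tagged of me" setting
        # widens the audience; it defaults to FRIENDS when unset.
        level = tag_levels.get(tagged, FRIENDS)
        reasons[tagged].append("tagged in photo")
        for viewer in graph.reach(tagged, level):
            reasons[viewer].append(f"{level} of tagged {tagged}")
    reasons.pop(owner, None)
    for blocked in photo.get("deny", ()):  # per-photo exclusion list
        reasons.pop(blocked, None)
    return dict(reasons)


def album_audience(graph, album, tag_levels, inherit):
    """Viewer set per photo id.

    inherit=True models the behaviour described in the post: anyone who can
    see one photo in the album can browse all of it.
    inherit=False evaluates every photo on its own settings.
    """
    per_photo = {p["id"]: set(photo_audience(graph, p, tag_levels)) for p in album}
    if inherit:
        everyone = set().union(*per_photo.values())
        return {pid: set(everyone) for pid in per_photo}
    return per_photo


def unintended(graph, album, tag_levels):
    """Viewers each photo gains only because of album-wide inheritance."""
    strict = album_audience(graph, album, tag_levels, inherit=False)
    leaky = album_audience(graph, album, tag_levels, inherit=True)
    return {pid: leaky[pid] - strict[pid] for pid in strict}


# Constructed sample: ana owns the album, bea is tagged in one photo,
# cal is bea's friend, dee is cal's friend, eli is ana's friend.
GRAPH = SocialGraph([("ana", "bea"), ("ana", "eli"), ("bea", "cal"), ("cal", "dee")])
TAG_LEVELS = {"bea": FOF}
ALBUM = [
    {"id": "p1", "owner": "ana", "level": FRIENDS, "tagged": ["bea"]},
    {"id": "p2", "owner": "ana", "level": FRIENDS, "deny": ["eli"]},
]

if __name__ == "__main__":
    for photo in ALBUM:
        audience = photo_audience(GRAPH, photo, TAG_LEVELS)
        print(photo["id"], "visible to", len(audience), "people")
        for viewer, why in sorted(audience.items()):
            print("   ", viewer, "<-", "; ".join(why))
    print("gained via album inheritance:", unintended(GRAPH, ALBUM, TAG_LEVELS))
```

With inheritance on, the untagged photo `p2` picks up bea's friends-of-friends and also `eli`, who was explicitly excluded from it, which is why the check has to run per photo rather than per album.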

Frankly… I don’t understand why tech companies aren’t doing this. Is it because you don’t want users to realize how visible their content is? Is it because your relational databases are directed and this is annoying to compute? Or is there some other reason that I can’t think of? But seriously, if you want to stop the social disasters that stem from people fucking up their privacy settings, why not put it into context? Why not let them grok how visible their acts are by providing a feedback loop that’ll let them see what’s going on? Please tell me why this is not a rational approach!

In the meantime… for everyone else… have you looked at your privacy settings lately? Did you really want your profile coming up first when people search for your name in Google? Did you really want those photos tagged with your name to be visible to friends-of-friends? Or your status updates visible to everyone in all of your networks? Think about it. Look at your settings. Do your expectations match with what those settings say?

24 comments to Putting Privacy Settings in the Context of Use (in Facebook and elsewhere)

I’m a founder of an educational app – it’s a directory of interests that works with Facebook to connect students to people like them. It has to be mostly public to work (like the phone book) but I do not want anyone to be unwittingly exposed.

I care deeply about this issue.

In my experience, with our users, the seemingly preferred status is out of sight, out of mind. Every time we add any feature, our app gets more complicated and users get testy about it.

When we moved live help from one click to two, the help calls went from 10 a week to zero. (And it’s not because they stopped needing help.)

Short point: college students in our focus groups / conversations only seem to care about privacy when they get “caught” or outed.

Up until then, they don’t want to think. They won’t.

I’m with you that it matters. And I’m with you that abstraction makes it worse, but I don’t think the answer is greater granular control at the content. I simply don’t believe that users would use it, and the complexity would reflect badly on any application that tried it.

This is all leaving aside the technical difficulty / expense of trying to implement it. Easier to tackle if you are Facebook. Very tricky for a start up.

“I know that this is a database disaster so I can’t ask for it… yet. Y’all should make large-n combinatorial functions computationally feasible eventually, right?”

It’s not that big a deal in the sense that these apps are already doing major filtering based on who you’re connected with. To throw another math term in there and use it in a colloquial way: these things work based on common denominators that are always handy to the system–and could be made handy to the user. Of course, designing an easy user interface is itself another challenge.

The big, potential can of worms, is in the design around changes to groups. Do you grant permission to a snapshot of a group? or to all current members? or to all current and future members?

“Frankly… I don’t understand why tech companies aren’t doing this. Is it because you don’t want users to realize how visible their content is?”

Conceptually, it’s hard to take a system from very locked-down to pretty open, and also hard to take a system from very open to pretty locked-down.

But, part of it is lack of good example. There are (for example) document management systems that implement all of this level of control (over documents)–but they are starting from a perspective of things being locked-down. There aren’t so many good examples on big, social, web systems–yet.

I think it’s important to keep chanting this mantra of: “let me see and control privacy in context–let me see a list of people / groups, and edit it on the spot.” This needs to be inserted deeper into folks’ thinking to the point that there are good examples that everyone can see and use.

Having worked for a social network I will 100% say that companies “don’t want users to realize how visible their content is”.

It’s a lot easier to make something seem private than go through the trouble of making it private. Facebook has always just stayed one step ahead of what people are most concerned about privacy wise. They are not going to put in more effort than it is worth to them.

Like anything in life, one must have a bit of rigour to understand the ramifications involved. I think the none, friends, and friends-of-friends model works fine. The real question is the extra content or shall we say the secondary associative elements (the non-tagged photos in the friend-of-friend album).

The point is to allow and facilitate connection. If I allow friends-of-friends, one can then infer that I am willing to share that information with a wide group. If I can see more of my friends-of-friends information, I may remember that at one point I had a connection with that person and would then pull that person in closer.

The real issue is that privacy starts at the event level. Any time data (pictures, video, etc) is collected, the subject should discuss fair use. Should that person be incapable of that discussion, that information should not be made public. Of course, this is way too rational for the facebook / myspace crowd and hence we have articles where hiring managers can make a quality judgement based on the secondary information gleaned from these sites.

This is not altogether unsurprising. It’s been a consistent pattern that every social application starts off with a relatively simple set of privacy controls but then gradually adds more and more functionality in order to support more fine grained privacy. Ultimately, they end up with a hideously, unworkably complex system of access control lists which is a pain to manage.

We did some work last year on bypassing that sort of system completely by rethinking privacy and how we cognitively process it. The results of which, we published at CHI08.

What we have done is built access on the ability to answer a shared knowledge question such as “What is my favorite thai restaurant” or “what color is the hair of my dog”. We’ve discovered such questions allow people to give a much more fine grained and natural form of access control without the unnecessary overhead of trying to place your entire social network into well defined silos. We’re currently working on building it into a facebook app.

>if I posted a photo and saw that it was visible to 100 people, I could manually go through and remove 10 of those people without having to create a specific group that is everyone but the unwanted people.

Two thoughts on this.

One, it’s less of a scaling issue than it might be, because you keep an exception list / blacklist that probably applies to quite a small minority of content.

Two, there’s a larger problem of information becoming visible through occlusion here, the way some otherwise invisibly distant astronomical bodies are only visible when they pass in front of a star. Say we fix the friends-of-friends problem, and my photo is visible to A but invisible to B. If A comments directly on the photo, you’d reasonably assume that the comment is invisible to B as well. What if A writes on my wall, or references the photo in a status update? Either generally (‘nice photo’ – so B wonders why they can’t see it) or in a way that gives away something about the content (‘HA HA you look TRASHED man’…and B knows why I took that Monday morning off work).

This is a much harder problem and I can’t see a straightforward solution.

>Frankly… I don’t understand why tech companies aren’t doing this. Is it because you don’t want users to realize how visible their content is?

It’s analogous to security issues, I think (in important ways it is actually a security issue, of course). By this I mean that we can’t easily see the value added by fixing it until we’ve been burnt. So it’s an easy problem to ignore, and we’ll care once we’ve been burnt badly enough that we have to care. At the moment I’d suggest it’s a problem that most users don’t even recognise, although I’d also suggest that awareness is coming up fast.

For OneWebDay, we created a guide to help students understand and navigate Facebook’s complicated privacy settings. You can find it here.

Also, regarding your desire for more feedback vis your privacy settings, you might be interested in the work of Kathy Dwyer, who presented a paper calling for this at AoIR. I blog about that here.

I don’t understand why tech companies aren’t doing this. Is it because you don’t want users to realize how visible their content is? … Or is there some other reason that I can’t think of? But seriously, if you want to stop the social disasters that stem from people fucking up their privacy settings, why not put it into context?

I think from watching the things said and done by those running Facebook for the last couple of years, it’s safe to assume that they don’t have the same definition of “social disasters” that you or I do – and in fact, that those would be closer to “optimal outcomes” as far as they’re concerned. I won’t belabor this point but suffice to say that they seem to have very different ideas about what sociability, privacy and public spaces are and should be than their users.

Also, responding to Kevin’s point that “college students in our focus groups / conversations only seem to care about privacy when they get “caught” or outed. Up until then, they don’t want to think. They won’t.” I’ll note that a recent survey that myself and Fred Stutzman did on current college Facebook users reveals some very, very different data on ideas of and practices regarding privacy. We’ll be presenting some initial findings at our ASIS&T poster session next week – for anyone who happens to be in Columbus, do stop by and say hello.

Jacob – I saw that presentation mentioned on Fred’s blog and the summary looks great. I can’t wait to read it.

I will be cautious however, based on my own experience, that there may be a big gap between what students say they want when asked, and what they do when given the opportunity.

(And whether or not they would complain about clutter and complexity if I, as the developer, were to give them the options they said they wanted.)

Your research is right on the mark though – differing social maturity and goals create the need for options. The general answer can’t be too “small” or too “big”-> enter danah’s request for better / less abstract control.

If you and Fred come up with interface designs, just let me know . . . : )

Exercise caution, I guess. I recently purged my friends list and removed people I didn’t know/like, and to make sure they weren’t able to snoop I added them to a separate friends list entitled ‘wary’ with extra privacy settings of its own. I noticed the photo loophole myself – and also that sometimes if you’ve a friend in common, or are in the same network, your profile is automatically visible.

I’ve just started at university and everyone has posted their lives on Facebook. There are pictures of people in hotpants, off their faces, cross-dressing or smoking dubious substances and I can see it all, even though I never speak to certain people in the corridors. I remove tags if I don’t like the context and I never put any information about my *actual* life on status updates etc. Why would you? Why would you choose a corporate website to stay in touch with your friends..?

I hope someone does come up with a better tool for “visualizing” privacy settings, but I would have to agree with the comments above that regardless of what students say about privacy there is little evidence that they care enough to use such tools were they to be provided. Software companies will add features when and if there is a demand for them from a significant number of their users. To do otherwise will just send their users elsewhere to products perceived to be less complicated.

Besides, there is nothing an application developer can do to prevent a “friend” from downloading the jpg and then reposting it elsewhere with less restrictions. History shows this is the likely outcome when one becomes even slightly famous, as by running for office or winning a contest of any sort.

Better to put down the glass (or other substance) when someone points the camera at you. And employers need to get over holding their employees accountable for what they wear to Halloween parties.

My thoughts on this issue are a bit vague, but for what it’s worth here they are, in no particular order.

(1) There has been a lot of repurposing of SNS sites. The kinds of uses that get made of them are not what the original developers foresaw. And the paradigms informing the software have not caught up. Wtf is a “friend” anyway? At least MySpace now qualifies their friend add confirmation to say that if your add is accepted you will be “friends on MySpace” – tacitly acknowledging that this is not quite the same as being “small f” friends IRL.

(2) And, even in real life, there are friends and there are friends. There’s your clique, there’s the nerd kid you hang out with behind the clique’s back, there’s friends from outside your school, there’s people from your clique who you don’t even like much… et cetera, et cetera, et cetera. Get the picture?

Now, in real life, all this is comfortably vague and manipulable on the fly and there are decades, sometimes even centuries of social conventions to facilitate this manipulation. You never have to confront anybody explicitly and tell them what their status is – with the exception of formalized cliques and the like.

But, when “friendship” is digitized, everything has to become explicit. There is no more wiggle room. If you’re blocked, you’re blocked. If you’re in Category “A” or “B” or whatever, that status has the definiteness of a sledgehammer to the genitals. There is no provision for ad hoc shadings of status to modify or fine-tune your friends’ perception of how you relate towards them.

(3) And the very nature of relationships in real life is itself in flux. I doubt that there is any consensus about what categories of relationships exist in a “typical” life. Everybody is rolling their own categories. And even less is there any consensus about what you typically want people in a particular (ill-defined) category to know about you – or not.

How can developers set up a structure that will work for their user base when that user base itself lacks consensus about the nature of the landscape?

(4) I’m tempted to simply assert that the founders of SNS sites had no real idea of what they were getting into. They set up abstract models of relationships within the brawling fluxing heap of living protoplasm that is human society. Because, unlike most of their prospective user base, they were abstract thinkers. And then they pitched the technical embodiments of those abstract models to the most brawling and fluxing segment of the heap – the new arrivals (i.e. “youth”).

Why be surprised that none of this turns out as expected? It never could have. “No battle plan survives contact with the enemy”.

Christopher said: “regardless of what students say about privacy there is little evidence that they care enough to use such tools were they to be provided. Software companies will add features when and if there is a demand for them from a significant number of their users”

Is there just a lack of evidence to support the idea students care about privacy, or is there evidence that says they _don’t_ care about privacy? There is a difference. I suspect we simply don’t have enough empirical evidence to support the former notion, and merely have anecdotal evidence that makes the latter appear to be true.

And I take pause when I hear the idea that companies should only build privacy protections if/when customers ask for them. At some point we need to be able to expect certain rights to be supported by our tools, regardless of whether the masses explicitly ask for such protection.

My personal beliefs about digital privacy change quicker than I am comfortable with; sometimes I react, other times, I don’t. The lack of reaction does not necessarily imply apathy, sometimes it implies an external conflict, maybe even a subversive strategy. Why pick on developers? There’s plenty of blame to go around.

Users have varied levels of privacy needs and wants. Similar to social norms that exist offline, users should be able to control what they share and with whom. Privacy settings are a reasonable mechanism (today) to support user communication within the social network environment. If a user could easily control the rate of information being exchanged with other users, similar to an offline exchange, online networks could live up to their potential.

The education and usability of privacy settings is an ongoing evolution and will hopefully serve the user’s needs as it develops.

In this panel discussion, Zoe Margolis argued that given time, nothing is private on the internet. (Listen here: http://violetblue.libsyn.com/index.php?post_id=350906 ) As bleak a view as that may be, it is a fair warning to people posting content. After all, no matter how securely your private content seems to be locked up, there’s always some employee of the host company who can see all your private stuff.

Somewhere in this, I know there’s a market for anonymously co-located hardware using encrypted disks and connections, but I can imagine few companies who would abide by that kind of customer…

Also, there’s ongoing debate over who owns the content on these social networks, anyways. (Subscription required: https://www.technologyreview.com/communications/20920/ ) It is in Zuckerberg’s best interest for more people to be able to see more about me, because that increased visibility will pull in more users who will spend more time seeing more advertising. That is not my best interest, but it is the advertisers who are forking over the cash.

Facebook has no easy answers for privacy partially because it’s based on the “networks” model. Back in 2004 when Facebook was only open to a handful of universities (being open to everyone was a long way off), I would have felt less uneasy about keeping all of my information open to everyone in my network (Duke) because almost everyone in it was a fellow undergrad. Nevermind for a moment that FB didn’t even have photo capability at that point. Now, with 4.5 years of expansion, that same network includes lots of alumni, current undergrads, grad/prof students, faculty, staff, etc. Particularly of concern are alumni that may happen to work for an employer that may be thinking of hiring me (hypothetically); would that employer use access to the Duke network to check on my profile, the photos I’m tagged in, etc.? And there are now regional networks, so that if I want to declare that I live in Raleigh/Durham on FB, by default that means anyone else who was declared the same can see my info unless I choose otherwise. By contrast, on Livejournal there is no such comparable feature, so I can limit the content I produce there to either “public,” “friends only” (or a filtered subset of friends), or “private.” I don’t envy FB because it’s very complex to manage, but I also salute you for pointing this out.

“Frankly… I don’t understand why tech companies aren’t doing this. Is it because you don’t want users to realize how visible their content is?”

I’m a developer and I think Facebook is a privacy disaster. And I think it’s frightening. Personally I quit my Facebook account more than a year ago due to this reason.

And yes, I believe that the main reason is because they don’t want users to realize how visible their content is. And they don’t want to lock down the user generated content for the user at the user’s own premise. Because they fear that users will make the content private. And the less public the content is the less exposure the site will have to search hits on indexing sites like Google or Yahoo.

We had discovered this too last month with faculty interested in using FB with students and experimenting with various settings.

Even when you spend time trying to decipher the logic and functionality behind the privacy controls you’re left baffled. For example, there are include and exclude functions with no explanation of why or what.

I don’t know if it’s negligence or carelessness on the part of FB developers but it’s the worst interface of a major app I’ve ever encountered (OK I’m not on MySpace, so I can’t compare there).

I have a small observation!
“Thus, if I posted a photo and saw that it was visible to 100 people, I could manually go through and remove 10 of those people without having to create a specific group that is everyone but the unwanted people.”

It’s almost impossible to make new friends in this way, and this is not the scope of a social network! What you propose assumes you have just a small group of friends and that’s all!

Photos in social networks like Facebook or MySpace have a great role in their proper functioning. Without them all the things can change!
The photos in such networks are an important criterion when choosing new friends! This is the reality in many cases!

In terms of profit the network must grow! Privacy falls to second place! The network is important, not the person! You must connect with as many people as possible, not just with ten close friends! The network must be attractive for anyone to grow! How do you do that?

The rules cannot be made like in the real world, because in the real world you have other methods of making new friends which don’t exist online. On the Internet, new methods must be found.

I recently wrote an article about Facebook’s transformation! Facebook will become a commercial network! You can easily see that!

“Facebook’s privacy settings are the most flexible and the most confusing privacy settings in the industry.” Totally agree! It was designed in such a way! I’m a programmer!

I try to understand the real meaning of the “friend” term in social networks! It is very confusing! In many cases of new friends nobody talks to anybody, not even a “hello”! Anyway, I’m stopping here!

Thanks for the article! I’ve changed my privacy settings on Facebook! It is a great feature. I am a teen writer at RadicalParenting.com, which is a parenting blog from the kid’s perspective; there are 60 teen and tween writers, run by teen author Vanessa Van Petten. We just posted a video of “How to set Privacy Settings in Social Networks” here: